Dependencies declared in a platform are excluded unless applyMavenExclusions is set to false #368

Closed
PeterFokkinga opened this issue Oct 19, 2023 · 9 comments

@PeterFokkinga

This is similar / a continuation of issue #360 (which was closed as resolved) and #361 where we were asked for a minimal example that reproduces the problem remaining.

The following build.gradle works (using Gradle 8.4):

plugins {
    id 'java'
    id 'io.spring.dependency-management' version '1.1.0'
}

repositories {
    mavenCentral()
    maven {
        url = uri("https://maven.pkg.github.com/PeterFokkinga/spring-dependency-issue")
    }
}

dependencies {
    implementation platform('nl.fokkinga:simple-bom:0.9')
}

But with dependency-management 1.1.1 / 1.1.2 and 1.1.3 the transient dependencies are not found:

This issue prevents us from updating Spring-boot in our projects to a version newer than 3.1.1

@wilkinsona
Contributor

Thanks for the report, @PeterFokkinga.

> This issue prevents us from updating Spring-boot in our projects to a version newer than 3.1.1

That need not be the case. You can use Spring Boot 3.1.2 and later with 1.1.0 of the dependency management plugin. One way to do that is by forcing its version:

buildscript {
	configurations.classpath.resolutionStrategy {
		force 'io.spring.gradle:dependency-management-plugin:1.1.0'
	}
}

@wilkinsona
Contributor

wilkinsona commented Oct 19, 2023

@PeterFokkinga the sample doesn't work due to a 401 response:

401 Unauthorized: https://maven.pkg.github.com/PeterFokkinga/spring-dependency-issue/nl/fokkinga/simple-bom/0.9/simple-bom-0.9.pom

Edit: never mind, I can reproduce it by publishing the platform locally and referring to that.

@wilkinsona
Contributor

Another workaround:

dependencyManagement {
    applyMavenExclusions = false
}

@PeterFokkinga
Author

Thanks for the workarounds, I can confirm that we can use Spring-boot 3.1.4 in our projects with

plugins {
...
    id 'org.springframework.boot' version '3.1.4'
    id 'io.spring.dependency-management' version '1.1.3'
}
...
dependencyManagement {
    applyMavenExclusions = false
}
...

(or use 1.1.0 as long as applyMavenExclusions = false is provided)

@wilkinsona wilkinsona changed the title platform dependencies broken since 1.1.1 Dependencies declared in a platform are excluded unless applyMavenExclusions is set to false Oct 19, 2023
@wilkinsona wilkinsona added this to the 1.1.4 milestone Oct 19, 2023
@wilkinsona
Contributor

The minimal example now works with 1.1.4-SNAPSHOT. @PeterFokkinga it'd be great if you could give it a try in your real project and confirm the fix. You can use 1.1.4-SNAPSHOT by adding the following to settings.gradle:

pluginManagement {
	repositories {
		maven { url "https://repo.spring.io/plugins-snapshot" }
	}
}

@PeterFokkinga
Author

@wilkinsona 1.1.4-SNAPSHOT works partially. When I replace the workaround with 1.1.4-SNAPSHOT the project including tests compile, but the tests won't run with "java.lang.ClassNotFoundException: okio.Buffer"

Looking into it I see that the com.squareup.okio package is not in the list of dependencies when using 1.1.4-SNAPSHOT whereas it is when using the workaround. It comes from rather deep down, and by using a constraint (note that the okhttp3 package is in the dependencies when using 1.1.4-SNAPSHOT)

project
 +--- implementation platform('nl.rug.education:rug-bom-implementation:1.0.10')
           +--- api 'nl.rug.education:education-lib:1.6.29'
                     +--- api 'nl.rug.commons:rug-commons-brightspace:2.5.7'  
                                  constraints {
                                          implementation('com.squareup.okio:okio') {
                                              version {
                                                  require '3.6.0'
                                                  prefer 'latest.release'
                                                  reject '3.2.0'
                                              }
                                              because '3.2.0 as used by okhttp3 has known vulnerabilities'
                                          }
                                      }
                                      implementation group: 'com.squareup.okhttp3', name: 'okhttp', version: '4.11.0'

Hope this gives a clue.
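
A build-time check for the failure reported in the comment above, where a module carrying a security constraint silently drops off the runtime classpath. This is an added example, not code from the plugin project or from either participant; the task name `verifyRuntimeClasspath` and the two lists are assumptions, filled in with the coordinates quoted in that comment.

```groovy
// build.gradle (added example, not part of the original thread)
// Fails the build when a module that must be on the runtime classpath is
// missing, or when a version rejected by a security constraint is resolved.

// Assumption: coordinates and versions come from the constraint quoted above.
def requiredModules = ['com.squareup.okio:okio', 'com.squareup.okhttp3:okhttp']
def rejectedVersions = ['com.squareup.okio:okio': ['3.2.0']]

tasks.register('verifyRuntimeClasspath') {
    group = 'verification'
    description = 'Checks that expected transitive modules survive dependency management.'
    doLast {
        // Map "group:name" -> resolved version for every module in the graph.
        def resolved = [:]
        configurations.runtimeClasspath.incoming.resolutionResult.allComponents.each { component ->
            def mv = component.moduleVersion   // may be null for some components
            if (mv != null) {
                resolved["${mv.group}:${mv.name}".toString()] = mv.version
            }
        }

        def problems = []
        requiredModules.each { module ->
            if (!resolved.containsKey(module)) {
                problems << "missing from runtimeClasspath: ${module}"
            }
        }
        rejectedVersions.each { module, versions ->
            if (resolved[module] in versions) {
                problems << "rejected version resolved: ${module}:${resolved[module]}"
            }
        }

        if (!problems.isEmpty()) {
            throw new GradleException(problems.join('\n'))
        }
    }
}

// Run the check as part of the normal verification lifecycle.
tasks.named('check') { dependsOn 'verifyRuntimeClasspath' }
```

Running the task before and after changing the plugin version or the `applyMavenExclusions` setting shows whether the resolved graph changed, without waiting for a `ClassNotFoundException` at test time.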

@wilkinsona
Contributor

wilkinsona commented Oct 23, 2023

Thanks for trying the snapshot.

I think the latest part of the problem should now be fixed too. Please give the new snapshot a try (with --refresh-dependencies if necessary) and let me know if that's not the case.

@PeterFokkinga
Author

@wilkinsona the current 1.1.4-SNAPSHOT works perfectly!

@wilkinsona
Contributor

Great! Thanks for giving it a try, @PeterFokkinga.
